Audit logs

vairavaniyyappan · ‎2011-02-27

Hi Team,

I am an Security Analyst and i was assigned to a Storage Project[Netapp] for which i need some information in regard with the logging..,

One more query is the log format same as filer O/P in data ontap.

Log Format for Messages
log format:
<PRI> <TIME> ' ' <MESG> '[' <MDATA> ' ' <SIG> ' ']
<DAY> Event Day
<DATE> Event Date
<TIME> Event Time
<[EVENT:> Event Name which is Event ID
<:Severity]> Severity is categories like emerg, alert, crit, err, warning, notice, info, debug
<MSG> Details About Message

Log Format of adtlog.evt
log format:
DATE | TIME | Event ID | Operation Outcome | Number of seconds of duplicated events | Filer Name | Number of duplicate events detected | Protocol used | User | Object | Access Code

Sample Log:
20060801|104748|560|Success|0|DATA|0|CIFS|petemo|DATA|-|\vol\vol0\etc|Read Attributes|

<Date> Date (20060801)
<Time> Time (104742)
<Event ID> Event ID (540,538,560) Support Windows Event ID’s
<Operation Outcome> Operation Details (Success or Failure)
<Number of seconds of duplicated events> Number
<Filer Name> Filer Name (Data)
<Number of duplicate events detected> Number
<Protocol used> Protocol Used (Unknown, CIFS, NFS,HTTP)
<User> User Name (administrator, petemo)
<Object> Object Details e.g.(\vol\vol0\etc\lclgroups.cfg)
<Access Code> (Read:Read Attributes)

Regards,

Iyyappan.

TNQNETAPPADMIN · ‎2011-08-06

https://kb.netapp.com/support/index?page=content&id=1011243

Please make sure that the auditing is enabled in the windows. I have copy pasted the section below for your convenience.

===========================================================
To setup additional items that will be audited, you will need to configure specific audit rules for each share or qtree:

In Computer Manager, go to the qtree or folder that you wish to audit.
Select the Security tab , then the Advanced tab, and select Auditing.
Specify the groups and events to be audited.

============================================================